Analysis
max time kernel: 115s
max time network: 123s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 08-01-2025 13:09

Behavioral task: behavioral1
Sample: a94faea1e462e715ca28d2d3265a9cd5be3085dc09847cf0a08ba1c4cc063d8f.exe
Resource: win7-20241010-en
General
Target: a94faea1e462e715ca28d2d3265a9cd5be3085dc09847cf0a08ba1c4cc063d8f.exe
Size: 90KB
MD5: a38465706d079d0ccb6ee3ac3370393f
SHA1: 4c6db81007225f615f8c910cdeb959a5c95a6aeb
SHA256: a94faea1e462e715ca28d2d3265a9cd5be3085dc09847cf0a08ba1c4cc063d8f
SHA512: 42c70b1eb2174241bf769b4b5acc99a70ef310d4b157e2e54ed512bc8ca80b73d197536bd35c77e64abb261afb819ba1d13c725db88a43991523e389adb75b87
SSDEEP: 768:tMEIvFGvZEr8LFK0ic46N4zeSdPAHwmZGp6JXXlaa5uA+:tbIvYvZEyFKF6N4aS5AQmZTl/5W
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (3 IoCs)
pid   Process
2956  omsecor.exe
1948  omsecor.exe
2332  omsecor.exe

Loads dropped DLL (6 IoCs)
pid   Process
2548  a94faea1e462e715ca28d2d3265a9cd5be3085dc09847cf0a08ba1c4cc063d8f.exe
2548  a94faea1e462e715ca28d2d3265a9cd5be3085dc09847cf0a08ba1c4cc063d8f.exe
2956  omsecor.exe
2956  omsecor.exe
1948  omsecor.exe
1948  omsecor.exe

Drops file in System32 directory (1 IoCs)
description   ioc                              Process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a94faea1e462e715ca28d2d3265a9cd5be3085dc09847cf0a08ba1c4cc063d8f.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description                       pid   Process                                                                  procid_target
PID 2548 wrote to memory of 2956  2548  a94faea1e462e715ca28d2d3265a9cd5be3085dc09847cf0a08ba1c4cc063d8f.exe  30
PID 2548 wrote to memory of 2956  2548  a94faea1e462e715ca28d2d3265a9cd5be3085dc09847cf0a08ba1c4cc063d8f.exe  30
PID 2548 wrote to memory of 2956  2548  a94faea1e462e715ca28d2d3265a9cd5be3085dc09847cf0a08ba1c4cc063d8f.exe  30
PID 2548 wrote to memory of 2956  2548  a94faea1e462e715ca28d2d3265a9cd5be3085dc09847cf0a08ba1c4cc063d8f.exe  30
PID 2956 wrote to memory of 1948  2956  omsecor.exe                                                              32
PID 2956 wrote to memory of 1948  2956  omsecor.exe                                                              32
PID 2956 wrote to memory of 1948  2956  omsecor.exe                                                              32
PID 2956 wrote to memory of 1948  2956  omsecor.exe                                                              32
PID 1948 wrote to memory of 2332  1948  omsecor.exe                                                              33
PID 1948 wrote to memory of 2332  1948  omsecor.exe                                                              33
PID 1948 wrote to memory of 2332  1948  omsecor.exe                                                              33
PID 1948 wrote to memory of 2332  1948  omsecor.exe                                                              33
Processes

1. C:\Users\Admin\AppData\Local\Temp\a94faea1e462e715ca28d2d3265a9cd5be3085dc09847cf0a08ba1c4cc063d8f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a94faea1e462e715ca28d2d3265a9cd5be3085dc09847cf0a08ba1c4cc063d8f.exe"
   PID: 2548
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 2956
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 1948
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 2332
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 90KB
MD5: 8c60b488dfbc5baeb6def2e229c6c752
SHA1: 829563f186b5bb81341eeb955ae93f1fa681dd29
SHA256: abc77c4d6c6d87348ef5de6e04449d13d48f1f77bb8b737f8ac4d73a50c416ac
SHA512: e692b6941223e7edffac942bf54965c86e41222121035407155b5f1cf0910d983a40c29d3c4e8091dbf802985d0017b7e9a5bb5205cd9af55ed453b6d8087df9

Filesize: 90KB
MD5: cf47164a86cd7df0b69fd3493aadeb0f
SHA1: c3ee7248a3e6b3744d8274a2ebd07dab79854717
SHA256: 33acd89e120c781924cacb1533097d76291a33b0b3db3918072ffd2223b38ff8
SHA512: fbd558c4fca8409841fa6779b7b5bb7e4c3a2a90360eb701efef42948e5e5b452c9f089728a168a90d85cca01e78f9a52c95def805e92181b8a91ddeb993b771

Filesize: 90KB
MD5: 930ca2d948b8bdc161b3e7c1bacafe2c
SHA1: 97b3141c4124e82dd1249ffb51782c9dd83fc87a
SHA256: 134808b9e9ed4f04715ca19727aeefe3b72b8a2538d4db712f712994ee7c6f32
SHA512: 4479a1ad6e200e3e8074e5214ef2e7ce80299c2d82d1c5d5310cd0dde4223b404700189741913a9843a32cb0fbae41fced1b154abe1fcfe91c938e771117a046